Netgate Discussion Forum
    Multi WAN load balance with IPsec?

      teslamad

      Have a scenario where I need a site to site VPN where one end of the site has two WANs. The customer wants the WAN load balanced specifically for the IPsec so he can use the full bandwidth for backups to the secondary site. Not sure if this is possible or not. I was thinking that only failover is possible. Any thoughts here? Ideally, we don't want to use DynDNS. Thanks

      Andrew Robinson
      Cloud Infrastructure Engineer
      Cisco Systems, Inc

        Arancho Doc

        Hi,
        I was in the same situation some time ago, and while thinking about how to get this working I came to the conclusion that this was not possible.

        At the beginning I thought this might be done by creating two VPN connections and then routing the traffic over one of them according to specific rules.

        But in the end I discovered that NATting to IPsec connections was not possible.
        If this is not true (I mean it is possible to NAT to IPsec) then you can realize what you want.

        It should work this way.
        In normal conditions you have:
        1VPN Site A - LAN addresses 192.168.1.0/24 - WAN1
        1VPN Site B - LAN addresses 192.168.0.0/24 - WAN1

        To add a second VPN
        1VPN Site A - LAN addresses 192.168.1.0/24 - WAN1
        2VPN Site A - additional LAN addresses 10.1.1.0 - WAN2

        1VPN Site B - LAN addresses 192.168.0.0/24 - WAN1
        2VPN Site B - additional LAN 10.1.2.0/24 - WAN1

        Now that you have two VPNs you must route traffic coming from a specific server/workstation to the other LAN.
        As I mentioned before I was not able to NAT from 192.168.X.X to 10.1.X.X over IPSEC and this is why my idea failed.

          cmb

          NAT has nothing to do with it. NATing IPsec connections is possible, but it does nothing for this scenario.

          It'd have to be routed in a means that isn't currently supported with IPsec. Might be possible with MLPPP over OpenVPN.
